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ft 1 2 2 2 5 (3. **^PaH,^^ 1102# 

Kfc. y-i^mm.i 20411 r^-t?* 




( 

1 

ffl «C T ? -fe X-T 4 3r8rC* -5 T , 
m?^7lf$gffl^y?xxb;^:5r&T?-feX\;?x 

* l flWBfcfiriBW 1 ? -f 7"fflf#ffl<o umb 

it, 

mf as i * -f 7it#fflc7) ij^xxbs, mier ? * x# 

X h lc&8 UTtt*&#« t . w eses U ?xx> 

tuiam i fWBtfKw* £ h ««oti:*r * r ? -tx^ 
8;. 

[ft*ii2 ] it*Ji i tmoTt^-xmz&^x . 
uneasy ?x* b#-^x?flsfg£flf i-Tv^s ifc^i 

tuiawfUfeiisa^T^-tex-rsx^, tufavx?t§ 

f gSrUfi 1 LTtSIB^X ? $ tutlfi. ffflBBl'lffg 

[f f*3f 4 ] ft 1 1 B«5^T ? -feX^r&KfcV » 
WET^-feXU^xXhS-^JgLT. miiar^-feX#S 

T?^x;frfe, 

[IWSI5 ] fflRPS 1 IBttOT^-teX^fcfe^T . 

tuia-ifigiH^a^M^a^-^^xT'S, o . 
mmi 9 * 7°mm<r> u ? xx elecw 

msBsacu ? x^ v a» % hue— ^xtcommmco 3 

* < i: fc —3 S- ■? X ? flttt t « * # S £ b frh 2r £ £ 
b ttmkk. f 6 T ? -fexSr^. 

[lfc£E6] lf*3SliBtt^T^-feXS-^*3UT. 
rnlB'IffSIEIi^a^f^M-r-^^-xT'* 0 , 

iffiar^-fex^*^ iraer ? tx#g^v^ . m 

1BWH ERE? U-X^CO 7 4 }V?WttlG&ffifrXtlX 
[ff$3g7] P«M<W'-?^~XffiT, T?-feX# 

MB— sJSLLSSRHWtf) 5 *>>J?& < i: *> — o£-?X 



2) §12002-312220 

2 

luiarav . mrlET ? -fcx^Kfc:*-^ *X , 

[ft*iB8] fi^7ia»<9r?-fex;^tei3vvc. 

10 lfiar?-feX^^, «fflBWHERE?o>-X*SS3EL 

t 7 < ^^attfi&^/ssesswH ere? n-x*#^ 
fine? ^?«f g*»z:o<oitfa«<o a ^Sr-mjs l, . 

mfiB^JSWHE RE ? a— 15137 4 ;k?^t^c «£ 

[IH&91 9 ] ff*JB 7ia*S«r ? -fcxjrSjfcis vvt . 
luiaH^S^'— ? <-x^-r- ? x.-x-^-^ rt fcS 
20 I,? bit. 

wia^-^ < fc — r?<oiaiv § xe**. ? 7 -f 
r> b >-xf-ATHfrlBii ?, *< i: t>— ocorav^fc-t-** 

&#mi:-r£T?-lrX^„ 
[ft^ll 1 0 ] WI 9l3ttOT^-feX^ife{c*JV^ 

tufB^- : 2r< b i>— o^llf^ i.XS#'ffrfB? 9 -f T > 
30 hi/XxAT'»fT§^-S£ ( k§ ! it@^-ri.T?-feX^' 

ctt^JSi 1 ] f»*ja9iamor?-fex^fc*3^ 

[ff^CR 12] T? -fcX#Sfc#oT«f6IB'^«^ 
ft L i ^7°a ?*5 A r? — K & a >- fc° A — ? ^< ^ 

|g 1 ? A 7°'rf #fflcOT?-feX U ?xx > ^vmh X 0 
tzm&Ztl* l-fKISl ?-^7°ffi#fflC0T?-teXU?XX 

luiBfS 1 ? -f 7-'»fgfflco y ?xx h £ ; mrfBT ? -fex^ 

Str^v*^ 1 ^flBgfflOSBe U ?xx h 
Si. -S. J; 5 teaWt§*L/t* 23— Hi:. 
ffsE'fS^IB'fig^SfcT ?-teX LT , WIET ? -tex U ? x 
X h fcJSG^ iTHSS^JStS <£ 0 (cflKSS ififcjg 3 3 
50 -Ft^Hi.. 



' J 



(3 

3 

[ft*Jll4] MSRl 2Eawyt*-^fcJ:4 

tan b^se y^xxb a*, tji 2— ^jjilo^j^io a 

mrer^-fe^ v where? u— x£-&>$>. % 
WHE REj?t3-Xrtfc7 <f ^?M«g^ffi^^-cMie 

? y A T > f- =? v tf a— ^ yxf a t ; -s— 3 ^ b* 

tJSlf— ayta-^yXfA^ I5fism3n-K 

Z&mt-TS. rj >b fc J; SflHSflat^x-r A. 
[ff*3Si7] Ifc&Bl 2IH»^3Vfc' , ^-^fcJ;-|, 40 

OTBf - 9 <-X1?w i-tfmmr?— 9^-XV-/ < 
-X$> 0 . 

msm 1 9 a ytimmco v^^xh — ?pj±.<wm 

[»*XI1S] fftftgl 7lHm03^b-i-?fc«fc2, 50 
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4 

~Xh 0 . 

tfiBT^-fexy^X^ h*«WHERE?D-XJM 

fulfill? 2 =r— WWZT9 -st . MIB 
WHERE ^a-X^)^fc7 ^^^et^S^SrAT-fu 

iy^fA, 

[ff*JS2 0] 9Btt03^l?a-^(Ci* 
fSfB^v-x-xAfcisv^T. 

[000 1] 

*¥%mi±. "r-?^-X<r>7 

[0002] 

t— 9 V — -X^-tfO i- — 2^uxt9 JzxWifrWirm 

WfflWLffLtfftiil. ■f-iDJ: ?%tfmte79*:X,L 
fcViA-TOT^-feXi (access privilege) 

[00 03]t*a-t t±flWg*MRT* "5 , ^^Ifc «fc o T 

[0004] ^etj'Srb'j. — i3\ ft^^VRlf/XXiffl 

MX% t, mi liffiMT—9 I N P T B A S E 1 0 0 

<o— fiflfc^u «Ui7J»B*nWBk. MD_iDti 

&7 ! -9$:%.2,c\ktimtItStiX\,^k{l&g-t&„ H2 
{4. *«Oi:#^46<35I NPT_BASE 1 0 o'fcfc 
JtSEfSOb'jL— *^LTV^S. PT_ID, VST, 



(4) 

5 

P_NM. RU\ MD_ID7^-;1/K(1 

X^h<DX\ W^±ntt<Vj6MmcD-T~ i b 
tfX'%1. H 0 L-X-, ID3&*2 2 2 2T-S>SlS#(=:i:'5 
T. SBtflIfflort|-C-S)S<# t* jL-fib'A-2 02k 
3r*. I D^'3 3 3 3T'S)l)E*^i:oT, b**— }4b* 
a-2 04h^ri>o 

[0005] AKStM^tV-it 

(Xttbi~ffr&) te«fc-o-Og»3;ft.#4. mli£. m 
3f4. H2T^$tl|.t'i— 20 2. 204, RX/20 10 

^(Oracle) XS'X-r AiD*§£-te{4. 

use r_i d{4.. SfT^Ou s e r__i dfcM~t*5|L 
SYS_CONTEXT('userenv', 'session_user')
t. ) VfrVtt&h* H4<7)SQL3t^ll ; fTL.-C. MD 
_I Die J; 0^$*i^6fL*^JS6S*flHR^»&* 

JH§:» l> tl h o . H 2 f5fc£ fi* «J: 5 &j5rS&£>**&Sfc& 
4h bV-^y^yxXm^L «*. 

DRG BETWEEN 120 AND 129

* oajaate- b"*-&5£» u*»mi«r 

[0006] 

frVH&SkbLX. S^r5T7°y^— v-a 

L<fl;*:§-£S. l/vifv— V7h^*T*f!lfflU«l!tt-6 40 
[00 0 7] jilfe. stf, r?bxftij»£-##> 

-f&ZbtfX'^ h . W$g^X-r^l*l^T^-teX$iJP(4. 
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6 

(s, o, t, p)

i? h o <^4W? bX t x ? h s #'iTr & 

(a, s, o, t, p, f)
(o, t, p)

*LT-*s f{4, S**(o, t. p ) fcf&«0:*:/S*t 

[0008]^< CO-fe^ ij-r ^ ^r-VW4^3i5SWXK 
fctJV^TfiySStLTV^*. 7?«7>iJ.^X (Acce 
ss Matrix) ^Ev-VK T"< ^-^77yh (Take-Gran 
t) ^E-r/W, 7?i's>-xyf^f ^ (Action-Entit 
y) RTf. ^7~fy •X.VX—JV (Wood et a 

t. ) <zrfM±* ffigo-tr^f a yf -( ^•r^-ea h « 

[0009] T. F. Lunt, D. Denning, R. R. Schell, M. Heckman, and W. R. Shockley, "The SeaView Security Model", IEEE Trans. on Software Engineering, Vol. 16, No. 6 (June 1990), pp. 593-607: a model built on Mandatory Access Control (MAC) and a Trusted Computing Base (TCB).

{4, W^*-— t^aT;^^!^ 

[ooio] i&co^-rMt, ^mv^jveo^ 'Jf -f 

^Ex/l-k L-t^ilityi^ ygf^-Tyf-'ta 
• ■ : E'fVl' ( Jajodia-Sandhu' s model) tXS^-^-f 
>-XWb ■ ^E-r/V (Smith-Winslett' s model) bt: 

■r/H4s x— ^<-X y^fi i; T7° U ^— 3 yb <n 

m^mm^tLXf-^^-xco^a. v=r< ^m^f-th 
toon] femcDt'^-zmm-thzbte. vm-m. 

(1) t-feyf^-yav ('fpg^r^-fex-f 

(2) b*a-jai*38ffl. HP*>ba.-^«^oTP a ( ]V5 

(3) *oWvv^*yii:*3Kaflrt-S. 
( 4 ) .*03R!V v£-*rtt££ff$-* . 



(5) 

[0012] %mcr>\za.— TJ4, T7*.^m J m<?i)V—)V 
54. rn^x^i^a yp&WmT'^mtzT? -txVZ 



to o i 3] 'fffgi/XT-A-b^fAy^^^fga. i (i 

David F. Ferraiolo, John F. Barkley, and Richard D. Kuhn

=? ^-tr h t,zm-3^x , T? -tz.mztt-$--t&mMzm 
< Jz^mmz lx v , 

[0014] 5 ^/1^8 i y^fi.li, A— f^l'&T 
U ^-ix{4. (1 9 9 9^7 J!) , 

:?<-X<7>ffr£j hSa^#tt<oix. Mary A. Davidson 

i,z£&&^m&mco'$~cmmztix^z. z^mmizj: 

i4, ^fif£$l££&V^f£|&*f-&0-t\ lfiWc^rJ 
<9/Jv£&-ffl£v.x?-M> (S3) <ri{4T#&v>„ 

1 ( 1 9 7 8*3^) . 9 21-1 
0 41, OhS&tf^ h fctoifcisJvv&HtfBOi&Sf 
f^^^a'Jf^j £:*IM£ttft£>;fx. F. 

y. <hini,z£z>mxx\ wm±.emfe%:m±-t&m9tf 

(1994), Castano, Silvana, Fugini, Mariagrazia, Martella, Giancarlo, and Samarati, Pierangela, "Database Security"; ACM Computing Surveys, Vol. 21, No. 4 (Dec. 1989), pp. 515-556, "Security-Control Methods for Statistical Databases: A Comparative Study" by Adam, Nabil R. and John C. Wortmann.

Kflflis ^ff±?)fif&J£p§rJU X(±. ^-7°®Hcoil 
[0016] T^-feX^g^^v^T, aBRfc-fc/H^ 
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[0017] 

^-t^f^r — ^jiLtco^— ^n—snzvm 

fit, x(4. ^^j^fits-y^— 
[ooi8] *aK*ofl&com«8i. ^-eti.c7)ff»ij^ 

2Mf^'J- (#RB:V-sMi-y-) ii£ y ^->~f 
4. 7 

[0019] *96W05Sfcffi<?!)WBWi v Jb^c7)-lr/WK 
20 [0020] ^SffiB^ffcx. * £ t tt. aSWEfffii: 
[002 1] 

x^^^r 7 0 0 fc^tcBffiJW* . T-dfx^f-cii= 

— > 7 2 2 {±7*- ^ <— >-X-r^ (DBMS) 
7 0 2 £ -t-AT-V ^ . DBMS !ifclO»f- ? 

30 x^-r^it* s 2>^. —^comifemmmmxu, d 
o 6ii, ^comimm±x'7 ; -^-^ 
nmw^m&mmzmpth . h^-^--{±. 

7 0 4(4. h-y-~^—t,zm& K> , DBMS^; 

(4, ^RoafSRfitiiTW^— hif— /n'— fcH^O. # 

[0022] 07{4, -!f-^N'-flimg3St*J^4-«6U 

^_^/<_ Xi? -_ / , s -_ 7 2 2{4. @t<03yta-^y 

v^S. EKSS^^— A— 7 0 6i:^x7'if— 
A- 7 0 4 bit. m<Da yh'j,-? 3 4l,zm 

U f-^<-^t-;M^^f|Lt v^s . Hist 
(4. ^x^—^^-i;^— hHf— tf4. ymcn?- 



(6) 

9 

(instantiation) T1f?£-f.£>£ k . 

A— # g# @t«3 y br a— ? ^fA £ tS*t" 
Sit* 1 **. 5£te*<<0X;U— Tyb*tiSH-4fc46 
te„ HIHte(4. #1?— A-ti s #S(:** : 5ry^fAF , 3 

— ^X-7\A# i £j£& . 
[0 0 2 3] DBMS7 0 2A.S0O.— 10 
^5-Y7 > >Nc07''7 , >-f''7 1 2£:frt/C?T*rfU StefS 
33ytWy^7 2 6±.T^f : f§iX.|.o 

(HTTP) , XS4, SSL7nh3/HOHTTP 
(HTTP S ) Sr-ffi-oT. *7 x.~?if— A— 7 0 4teH# E 

[0024] a.—- ffi^^if 7 1 2Sr^"LT , 7a:7 - '-f 
-A- 7 0 4 hiZWm LT h £#S . *SJCv 
P-tK- h^Tl— h 7 3 4 HBW - 5 . &te. ¥>TT 

A-7O6t0t. I'Stf— Mh- A— fix SSRSft.fcl-' 
TK-hf-^TV— ht=^**i.6'-oJSLh^Wv*6** 
Sr. 7-'— 2"<— XI?-— A— 7 2 2te3&W"f"&. I^zK— ]- 
-if— y >?— t t— ^ <— xif — ' k OHtr^-QJ^JES 

itmcomz. z coffin v^iy*isjfe6* v jjc — > -r-; 1 

$<9&V^5£te J £-«9i&:££:7:t-— vvht 30 
[ 0 0 2 5 ] HS {4. 14BJgfi*j«05t:*fc5tlt^$^7t^ 

<;K M/M»T^ U x b W<.jUtfM£.ixX^& k $M 
•th* HffV-^/^J-— if{4. i£TtfD-r— ^teT:?-feX 

£mi k X- *<-x*s#£»w t cofzMzfomtz 

[0026] E#f4. ESSE K ? ^-VA;W)x-f07 
?-l?Xli£^;t£>tL&. gif{4, «#ffi^O^SfcM-r 40 
^Iff-^ k . g***fW£Lfc7*-^ k teT?-kXT 
LjSMA* 1 ^ E#«4. jft^r^-f 

^teT^-teX^-Sik^fFRTSttTV^^. 3Ste, IS 
#t4, SB<S5E#07*— ^'teT^-t^f 4 it Srff^ft 
TVvfirv*. B8fcl^S#t^Hj«05t:i6OT^-feX^S 
te.fch.Br, E#J4, faOE#te J: r>T«MK3*ifcA#£ 
&<Dtcisb<izB&£ k * s t'# 3rv * . *<?M&1fin 

A* £ k 3b*T-* 0IR54*. B#2 2 2 2 H 2 te 50 
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1 0 

t5*t&J|5 1 JU - k j&^CS&V*. frt&t> 

{f, f£OE*3 3 3 3#ARENtf)|gl^£MgLT 

J607?-feX$g(:j:tl(l fck i.E*2 2 2 2#AR 
ENc0^2ffi^SrM«L.^kUt:t. -?-c7)lS^-{4ARE 
N«m 1 '<mcD?Ztbl l Zf;CD&W}ZM,& itWS^V 

-fex^i^wr-r^B^r ^•fex^a^ft-r s itt* 

4 . MteSif Stt^ i k {4. *56HSi4*cO J: a -te 

[0027] SfAte. 7?^X0J»', S«^»MteM 

h V^)VCT)=i--*rT 9 -feX &fiF$ tt-g> . M17t U X h 
i4. a«oja«fl!«oa^vK^^**^i{KE, * 

L^ifih, ffllTty^Mi E^-tei-pT^kSti 

^cor^-feXSr-rS i kf # 3rW 
[0028] 09teH9LTs IMDBMS70 2 <@ 
7 ) ffl<7)x— ^X^r— A 9 0 OWfftBJWHS^^TV^ 

4. jl— ifflWKft9 0 2 (USE R INFO) {4. * 

^-ifJl<0a--1ffa#i (MxJ4V JL-if|HlS9 1 2 ) ft 

tizMz-X. o.-if id7-f-^H92 2 k&M? -f 
K 9 2 4 k *^TV ^* . >f H Ut s H S <0T 

^■fex^gitete. ifffliOT ^ -fex ^ ^fe 

xftswaoTf-s . 

[0029] zjim&'mmm 0 4 (inpt_fac 

T) {4. S^teS^'V ^Xfthtitz^mmeoXWZ!&gm 
m (Mitf. A^%#ie«9 14 ) SfiWUTV^*. <t 

9 3 2 (VST) f4. -AO.S#<?)#a^/AI^I*a- 

*ltv^5. men? 4 —jvwmmv? 9— 

[0030] S*ffi#^9 0 6 ( PT_F ACT) {4. 

7-f-;l/F942 (PT_ID) , 1^ fir¥9 
4 4 ( P_NM ) s &W&'ffi#J7 ^-^'94 6 ( S 

EX) fc^TV^*. »ROlS#ffi#i£9 0 8 ( MD 

F ACT ) J4#(g#ffl<0flBgS-fr^V^. itL{4. M 

mmFff—I D7-f-/H<9 5 2 (MD_I 
D) . «|ff7^-/kH9 54 (D_NM) . mVE^F 
^^-^7^-/1^^9 5 6 (DEPT) £-§rATV^ 

[0031] 08S.VIl9teWbT. ^* i '-r'-^X^f 
-A 9 0 0 (cMM-ft i 3 ^rT^ -bx#gW)«**iWB 



1 1 

#t4. f^»7-f-;l-K9 3 3, DRG7-f-;l^F9 

3 5 . i§3E»M:7 ^-;l/F9 3 6, A 9 3 
7 s -f H 9 3 8 s ,&#ffi?ij:7 -71^ K 9 4 
6, EiRF^-g&FlT^-^Kg 5 6 fctf* 

Illtid7^-;L'H93 1, 9 4 2. jft#fiE»7 4 
-/1^H9 3 2, «*fe7-f-/UH9 4 4. E»H^^— 
I D7-f — K 9 3 4 . 9 5 2, ^.T/EiRK^^— ^7 
4 F 9 5 4fi*OE#tef!IfflWC»4-^S=5r^. 

4. 

[0032] 08 t?*S#tft J: 3 >5:fS:§U I I cojl— -fffl 

<nT9*z^m$, mm&mzz-ox cmcj^tt- 

S4&-V0 PT_ID, VST NBR, $.t>*P_NMO 

4 -5 t«t75-f hit w^rrr?*.*. zmmt & . 

a^^f &7tto0D^-fifiMffl { PT_ID, VST 
N B Ft } "C**. £:ft.&oWJi. Jft#ffi 

■fex#gfafi<«#tc 4 o tt? -fex mm Lx^htzsiz 

Ji, -eco^f-fflii: IPT_I D} ) EKH^^ 

■< J <.-}-m^zT9 J bX-ti,fzlfX'h?>. ttitSttz. -t 

^e*@#«r7-f<-hff#T^^«^-fc{±. md 

_IDtD_NMtlil«Sjl4^'3. ft-Jt. E#«0 

7*5 W hfiffgMD I D , DNM^^^tS^I 

^^Sr^-r^f^^-ffiJi^iJffl { MD_I D } 7? 

[0 0 3 3] &tn I^-WSELECT'FRO 

£T<7)PT_I D2K/P_NMJ«^iarr (vx^fl,) 
^T**. &i?&£>J£\ fSMOl I <do.— ' f BSRBHrtT 

SELECT DISTINCT a.PT_ID, a.P_NM, a.SEX FROM PT_FACT a, INPT_FACT b WHERE a.PT_ID = b.PT_ID AND b.MD_ID = (own id)
ID, VST_NBR| «)it«'3£tti-jTJlPT 
_I DaVP.NMm^ti^^SSESt* 
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1 2 

ACTh I NPT_FACTtJi^n^^t*S* 

<±, 7°9-f h-r— ^A*^.4>*i«>i t frW^TL*^** 

[0034] ±&(Q77*AMffl^&*0&T't&tlib 
fc, 3WMBI4«^!lfc:^x^«IB*4-jt*. £ 3 LT, 7 

zwuz^xrwrnzif-z-zzt i>x*z&. 

[0035] Ell 0J4. iP^P_NMffl<?5v 

x?mmi o o ooRwgtssLTc**. *^^mt 

. r^a-A'j PWf#i*a.— WaHtK 
3 -JUmomxO SQL^ 7HRK J: o T 5^1$ tlT 

[0036] VX^mtg 1 000 \Z—^>£Xk<D*-n? 
0 0 2Og^ffl*^T , V^. 
Ktt. RMES^S^SftfOflliOu'^^-^ 1 0 0 4 5fc*U 

30 ^§tUtMT'{4. P_NM 10 0 OffiOVX^MtlO^ 

fc, IP*>, K E Y_P T I D 

i KEY VST (1 00 2) b&tFfcLX^h. frg 

^*L**>i5>*c»6. -et-c, pt_idsvvst#i 

[003 7] -7X^SSg«I F_THEN_ELSE? 
a-XT 0 0 6^t^?,. I F^fefHt 7?*X# 
PMsi^Wsmi 0 0 &zmf&L. *ttii&£ktofiXT7 

«±=3f— ^ l o o 2commx'2b&. r^^xmk 

SfePW*T RUE i; ffpfiffi-f 4 s 7X ^ «ttttM«0 
Hi: LT**Offlc7)/N°7^— 9 1 0 0 4 y 9— yf 
&. 7^t^^WFALSEi:Sfft^t 
{4 . x 7 * — h fflA^OOffl fc LT • y ^->- $ tLS . 
[ 0 0 3 8 ] 01 0T^S^S*i^<^afi<!^RIBT' 

{4, 7 s 7=r-/t-b{i{4«i^3— j\>i o i oti-?T#EK 

*OfflWN"5X— ^ 1 0 0 4^£^&Mo£^|lflitt--£) 
50 4. fa^J6cDJF^T14. -rT^-zH-ffiii, **«ft 
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-I«AA, WiB, NULL, Xti. rffrtfrg^v^ 
7mj^J;3 Sr-r** b#f&fcf 3 £ fc 4 . 
■M^feft^-fe ^j-'Jf-i ffijf^Ji . f7t-;^ fit*' if 

[0039] HKW*^TI4, =«WlO-ltttaJB« 

[0040] 
[*1 ] 

rv <= iaaask.j3smeQspi, tpzt •-■ kpnj op). 

0, kpi, kpa, ■ ■ - , kp»(l •?X?£ S 1&Z:& > 
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[0041] «ttB3— /^iX^-itO^lltCfeitSftflsW* 
flt*ttU S Q Li^ S Q L^fi^ft t 

[0042] mTtfO^ I IStfWSteJ: S-««$rV.X7 
[0043] 

[Table 1]

/* PACKAGE MASK */

CREATE OR REPLACE PACKAGE MASK AS
  FUNCTION P_NM(KEY_PT_ID NUMBER, KEY_VST NUMBER, ORG_P_NM VARCHAR2)
    RETURN VARCHAR2;
  FUNCTION D_NM(KEY_MD_ID NUMBER, ORG_D_NM VARCHAR2)
    RETURN VARCHAR2;
END MASK;

CREATE OR REPLACE PACKAGE BODY MASK IS
  FUNCTION P_NM(KEY_PT_ID NUMBER, KEY_VST NUMBER, ORG_P_NM VARCHAR2)
    RETURN VARCHAR2
  IS
  BEGIN
    /* Return the original patient name only when the FILTER package admits this visit */
    IF FILTER.PT(KEY_PT_ID, KEY_VST) = 1 THEN
      RETURN ORG_P_NM;
    ELSE
      RETURN MASKED.P_NM(ORG_P_NM);
    END IF;
  END P_NM;

  FUNCTION D_NM(KEY_MD_ID NUMBER, ORG_D_NM VARCHAR2)
    RETURN VARCHAR2
  IS
  BEGIN
    IF FILTER.MD(KEY_MD_ID) = 1 THEN
      RETURN ORG_D_NM;
    ELSE
      RETURN MASKED.D_NM(KEY_MD_ID, ORG_D_NM);
    END IF;
  END D_NM;
END MASK;

/* PACKAGE FILTER */

CREATE OR REPLACE PACKAGE FILTER AS
  FUNCTION PT(KEY_PT_ID NUMBER, KEY_VST NUMBER)
    RETURN NUMBER;
  FUNCTION MD(KEY_MD_ID NUMBER)
    RETURN NUMBER;
END FILTER;

CREATE OR REPLACE PACKAGE BODY FILTER IS
  FUNCTION PT(KEY_PT_ID NUMBER, KEY_VST NUMBER)
    RETURN NUMBER
  IS
    CNT NUMBER;
  BEGIN
    /* FOR USER ROLE TYP = 1 */
    IF SYS_CONTEXT('SECURITY', 'ROLE_1') = 1 THEN
      RETURN 1;
    END IF;
    /* FOR USER ROLE TYP = 2 */
    IF SYS_CONTEXT('SECURITY', 'ROLE_2') = 1 THEN
      EXECUTE IMMEDIATE
        'SELECT COUNT(*) ' ||
        ' FROM ' || SYS_CONTEXT('userenv', 'session_user') || '.ACCS_PTVST' ||
        ' WHERE PT_ID = :KEY_PT_ID AND VST = :KEY_VST'
        INTO CNT USING KEY_PT_ID, KEY_VST;
      IF CNT > 0 THEN
        RETURN 1;
      ELSE
        RETURN 0;
      END IF;
    END IF;
    /* FOR USER ROLE TYP = 3 */
    IF SYS_CONTEXT('SECURITY', 'ROLE_3') = 1 THEN
      RETURN 1;
    END IF;
    /* No role matched: deny. A function must not reach END without a RETURN. */
    RETURN 0;
  END PT;

  FUNCTION MD(KEY_MD_ID NUMBER)
    RETURN NUMBER
  IS
    CNT NUMBER;
  BEGIN
    /* FOR USER ROLE TYP = 1 */
    IF SYS_CONTEXT('SECURITY', 'ROLE_1') = 1 THEN
      RETURN 1;
    END IF;
    /* FOR USER ROLE TYP = 2 */
    IF SYS_CONTEXT('SECURITY', 'ROLE_2') = 1 THEN
      EXECUTE IMMEDIATE
        'SELECT COUNT(*) ' ||
        ' FROM ' || SYS_CONTEXT('userenv', 'session_user') || '.ACCS_MD' ||
        ' WHERE MD_ID = :KEY_MD_ID'
        INTO CNT USING KEY_MD_ID;
      IF CNT > 0 THEN
        RETURN 1;
      ELSE
        RETURN 0;
      END IF;
    END IF;
    /* FOR USER ROLE TYP = 3 */
    IF SYS_CONTEXT('SECURITY', 'ROLE_3') = 1 THEN
      RETURN 1;
    END IF;
    /* No role matched: deny. */
    RETURN 0;
  END MD;
END FILTER;



M7&t h ■tmbmmmm £ *vt v ^ t . # jnw* v^. ? » 

[0044] i/t, SKI FILTERAv*--^ 

Tjg* § tut 7 w JWWKfc* L/t v „ ro^ii s 

EP*>, PTOJtl^MDO^^^TV^^. PTOil 
{4, A'5^-^KEY PT I DtKEY VSTt 

lis Wltr'J ^-W-S. iiOUfft'li, #*Of£ 

LT {PT_ID_VST} Oi;xhi&a3^*36PT 
VST£=rf?>. 

[0 04 5] MD0 7^^Wt ;^j<—?K&Y 

Ji 0 Xi± 1 £ U * - VThg, .MAS Kfltt &tMA S 
y^-yW^tlT^I.. .T^W^fW. P_NM 

_NMOVJ*?«SH8#. ¥S«FILTER. PTJ 
a-^i"*. -etL*>6,s liMRtf IT* 
(4**<9ffiORG_PNM2-L7;?— y-Ti). ^LT. IS 
^'OTSIt^fcil MASKED. PNMHBRteJ: 
oT£j££i-U:VX:?ffi£ 1/ . D_NMiiP 



*(4 N NASKED. P_NMiiO RG P NM£f(t£r 

ifflU -£LT— 2u MASKED. D_NM(4KEY 
_MD_I DfcORG_DNMfc<^MS"Sr-ffifflLTVi 

[0046] Ell 1 1 2 0WLT. *SKatJ:4 

yrw- h 7 3 4 (H7) fD-o^-e-flfcWfcJLfcBS 

20 (4, ^SQLW^t^TV^. — «« 
4SQLHlV^*rWi, SELECTS**;*. 

JMWfc U ^SELEC T334*-<0|S]V v£*rt2tf)*i* 

[0047] *aMBfc«fc*lW. HiR^S!# 1210(1 

^JEV-jff— ff^V- J- 7 3 4 ' £#{£-$-.2.. ^Ml^ 
jK-hT-yri— h #>&&£I^V 1 2 0 2(4:** 

owws-jb-fci i o 2commx-fo-ox. %>&nmm&-? 

[0048] HRPfKS 121014. »)J?„tT?t 
**tteafi-3vvo** (0iRft£. H8) . 3S*3*i4J; 

af5*<0HJW&*>-^ 1 10 2(1 «RS*lfc|BJW^ 
M1202 J3SHR LT^-tb, r ? 

[0049] Mxff . *SW>imv v^*>^ 1102 

Xfoh¥\\±. PT_ID. VST, P_NM, MD_I 
40 D, $.t>\ D_NM (H9)TJb*. OT<0*I I (4ft 

[0050] 
[Table 2]

PT_ID    MASK.PT_ID(i.PT_ID, i.VST)          PT_ID
VST      MASK.VST(i.PT_ID, i.VST)            VST
P_NM     MASK.P_NM(i.PT_ID, i.VST, p.P_NM)   P_NM
MD_ID    MASK.MD_ID(i.MD_ID)                 MD_ID
D_NM     MASK.D_NM(i.MD_ID, m.D_NM)          D_NM



&*5. *Xlit'i-IDli, ^V^^ii-cOFROM^ 10 

r c . j s r i . j ^ r p . j % %xf r m . j 
12 1 014. SfJSS"r4«IB3-;W=J:-3Ts VX^Sfi 

* 1 2 0 2 fcfBSTS £ . «»»ESt±.* ? y^- KXf 
a. tfX^A^r — 3<0V7b*?x.TtZ* Xa, ^— 
^ < CDfifcfc&fficD 3 fc«o# fc-lfcoTHftSft* £ t # 

[0051] mi 2%mif&t. muimi 2 1 oa. 

**ORfv v^-*^ 110 2 SrBKrav 1202fc 
ttifrt>: esn^tUi.m^iy^i±. dbm 
S 7 0 2K3S4>tL. ^<?)4'T'^orfl^^^'^ i f Sft. 

£> . dbms a— fflc7)j.~if jgmni 1212 &-&x-e 30 

C 0 0 5 2 ] HI 2li. a.— r^mmn-ceo— 

ffit07 4/1^1*1612 24 fcSSL-O**. 7 4 )V? Wife 

-bx^acft -> t 5>j Sr ? -r & cot* dffl-rs *»&tc 

14. 7 ^^«BB4. fflBM^BHWc. fi= (ISM) £v 
T"{4. 7 -f ;k^ffil«4T R U E/F A L S E CD J; d 

'fty-ts'j^-m. -s-ttSrSQLrav^-frco 

WHERE? C?-Xf*rCffio T , ?ff§!lBk3M&{=fi§-9 T 'J 
[00 53] |g*3*ubgBI C0UJBJ4. iMf-?^ 

?&.V7 4 iv^mmm^wsiX'^ s z ta. 



[0054] mtmm 1210a, sh^l^— 

k , MIR^S* S «LV ^T'^f^tLi, £ b ififo h . *%BJtci3 

hh<^x\ z <D$m<vmm±z.)v—7° •> hcowba*>>t>M 

miRWm&DBMS 7 0 2fclESStlTV%&CDT\ 
IWS - k ^. >eiR«iffi{4 . WTIWtS ti4 ? 

[00 5 5] VX?^fg3^DBMSP ( ilte^$tLTV^ 
cot\ T?-fe.*.#SeDSMEt4, ~??-9m*7 
4 flsfm &zi$lf&]$.m%: V y -f h £3r£ . ©E#corr 

Wc^oTSIRSaSl 2 1 O* 1 ^^*. .Mitf, 
•?x??(Jh LTAGE59£Jn*fcv^fr£fc:«, 01 2cd 
**CDSQL#\ AGEM^7X»13 02J:1'9 
»i.4ifct:«t-5T, HI 3T^$.*L5±afc3S35S#i. 

[00 56] *^cOA#cW^HacD^ffi^HJ§fl^ 

^5^cDv r --?^^cD«HP 6 3'C»r-?. J; 3 (CM 
HSivfirv^. ^cDT-'-^^oaiS^cD^fflrt-cii^ 
f»T-S £ fc j^'Tt & o ^BJ^'mfr^^McD^Bfc 

*#9iP3r^cD^fcPl^$tL^v^ fc k 
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l*#&s sum* h»s -ftffl. mme&mz. unm 

[00 58] 

ncor^^x 9 mm^m-) x ^vv^v^r 9 -fe xm 
lx. ^x^mma. ~?x? ztLtimcom. io 

[00 59] ±fc. Zix?K<^W^W&tdtb<?>y * 

/utmm&m-ox , ^/wi^i^T^-fc^swipsritew- 

[00 60] 55t N ±^cr>-^)V^^)VC0T9^xmm^ 20 
[0mof8f*5rS&Hj?] 

[01 ] sWfii^T^MO^^ifjfc^ftfc—WS' 
[02] H1TS?3*U Sffcl^-JEWtotfSfcS 

ft h =f — $ <o t* a - mr & & . 

[03 ] 02 T^Silii t'A-tr#^-r b*,x— JSftfc 

c 04 ] mm Ltz s q ljc & ^-r0T-«> * . 

[05 ] ^fa-^j: 0^$tLJtb'A~CO* 30 
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[08] if-—¥T-7 j z. x^m^-m^-m^-tmx 

[09] -r'— Xi'X^Artfcfctt&iSX: 3 ?-— ^co 
MtffciSrrHT**. 

[010] *9Hmc J: *?.X?mBff>9g0i? i'TV- h 
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T7^XfflW(DT~*^?^CD?m*7J<tmT$>&, 
[013] T9*^W^<rySE&&)£<r>i. o tefcfgW 
CREATE VIEW INPT_FACT AS
SELECT (CASE WHEN MD_ID = user-id THEN PT_ID ELSE NULL END) PT_ID,
       (CASE WHEN MD_ID = user-id THEN VST ELSE NULL END) VST,
       (CASE WHEN MD_ID = user-id THEN P_NM ELSE NULL END) P_NM,
       AGE, SEX,
       (CASE WHEN MD_ID = user-id THEN MD_ID ELSE NULL END) MD_ID,
       DRG, STAY, COST, PYMT
FROM INPT_BASE;
SELECT i.PT_ID,
       i.VST,
       p.P_NM,
       p.AGE, p.SEX,
       i.MD_ID,
       m.D_NM,
       i.DRG, i.STAY, ...
FROM INPT_FACT i, MD_FACT m, PT_FACT p
WHERE i.PT_ID = p.PT_ID AND i.MD_ID = m.MD_ID AND ...



[Fig. 4]

SELECT MD_ID, COUNT(*) VOL,
       AVG(STAY) AVG_STAY, AVG(COST) AVG_COST, AVG(PYMT) AVG_PYMT
FROM INPT_FACT
GROUP BY MD_ID ORDER BY AVG_STAY DESC;
[Fig. 6]

CREATE VIEW INPT_GRP_BY_MD AS
SELECT (CASE WHEN MD_ID = user-id THEN MD_ID ELSE NULL END) MD_ID,
       COUNT(*) VOL,
       AVG(STAY) AVG_STAY, AVG(COST) AVG_COST, AVG(PYMT) AVG_PYMT
FROM INPT_BASE GROUP BY MD_ID ORDER BY AVG_STAY DESC;
CREATE OR REPLACE PACKAGE BODY (schema_name).MASK IS
  FUNCTION P_NM(KEY_PT_ID NUMBER, KEY_VST NUMBER, ORG_P_NM VARCHAR2)
    RETURN VARCHAR2
  IS
  BEGIN
    /* Policy logic to decide whether or not we should mask the P_NM. */
    /* If we should mask the value, then return the masked value,      */
    /* otherwise return the original value.                             */
    IF (policy_condition)
    THEN RETURN ORG_P_NM;               /* Original value */
    ELSE RETURN MASKED.P_NM(ORG_P_NM);  /* Masked value defined by default mask value function */
    END IF;
  END P_NM;
END MASK;
SELECT MASK.PT_ID(i.PT_ID, i.VST) PT_ID,
       MASK.VST(i.PT_ID, i.VST) VST,
       MASK.P_NM(i.PT_ID, i.VST, p.P_NM) P_NM,
       MASK.AGE(i.PT_ID, i.VST, p.AGE) AGE,
       p.SEX,
       MASK.MD_ID(i.MD_ID) MD_ID,
       MASK.D_NM(i.MD_ID, m.D_NM) D_NM,
       i.DRG, i.STAY, ...
FROM INPT_FACT i, MD_FACT m, PT_FACT p
WHERE i.PT_ID = p.PT_ID AND i.MD_ID = m.MD_ID AND ...
SELECT MASK.PT_ID(i.PT_ID, i.VST) PT_ID,
       MASK.VST(i.PT_ID, i.VST) VST,
       MASK.P_NM(i.PT_ID, i.VST, p.P_NM) P_NM,
       p.AGE, p.SEX,
       MASK.MD_ID(i.MD_ID) MD_ID,
       MASK.D_NM(i.MD_ID, m.D_NM) D_NM,
       i.DRG, i.STAY, ...
FROM INPT_FACT i, MD_FACT m, PT_FACT p
WHERE i.PT_ID = p.PT_ID AND i.MD_ID = m.MD_ID AND ...
      [AND FILTER.PT(i.PT_ID, i.VST) = 1]
SELECT MASK.PT_ID(i.PT_ID, i.VST) PT_ID,
       MASK.VST(i.PT_ID, i.VST) VST,
       MASK.P_NM(i.PT_ID, i.VST, p.P_NM) P_NM,
       p.AGE, p.SEX,
       MASK.MD_ID(i.MD_ID) MD_ID,
       MASK.D_NM(i.MD_ID, m.D_NM) D_NM,
       i.DRG, i.STAY, ...
FROM INPT_FACT i, MD_FACT m, PT_FACT p
WHERE i.PT_ID = p.PT_ID AND i.MD_ID = m.MD_ID AND ...
      [AND FILTER.PT(i.PT_ID, i.VST) = 1]
1 Title of Invention

Cell-Level Data Access Control Using User-Defined Functions

2 Claims

1. A method for accessing information in an information store in
accordance with an access policy, said method comprising:

receiving an access request comprising a request for a first type of 
information, wherein said request for a first type of information has associated therewith first 
information contained in said information store; 

replacing said request for a first type of information with a modified request 
for a first type of information, said modified request being based on said access policy; and 

accessing said information store to produce a result in response to said access 
request, wherein said modified request produces either a masked value or said first 
information, based on said access policy. 

2. The method of claim 1 wherein said modified request includes a mask
function.

3. The method of claim 2 wherein said accessing includes executing said
mask function to produce either said masked value or said first information.

4. The method of claim 1 further including modifying said access request
to include a filter function, said filter function effective for eliminating portions of said result
in accordance with said access policy.

5. The method of claim 1 wherein said information store is a relational
database and said request for a first type of information comprises a SELECT statement, said
SELECT statement comprising one or more column references, said modified request
comprising a replacement of at least one of said one or more column references with a mask
function.
6. The method of claim 1 wherein said information store is a relational
database and said access request includes a WHERE clause, said result comprising one or
more rows of information, said method further including incorporating a filter function in
said WHERE clause to remove certain rows contained in said result, based on said access
policy.

7. In a relational database, a method for accessing information in
accordance with an access policy, said method comprising:

providing at least one query comprising a SELECT statement, said SELECT
statement comprising one or more column references;

replacing at least one of said one or more column references with a mask 
function to produce a modified query; and 

producing a query result in response to said modified query comprising one or 
more rows of information; 

wherein said query result includes, for said at least one of said one or more
column references, either mask values or information from said relational database, based on 
said access policy. 

8. The method of claim 7 wherein said at least one query further
comprises a WHERE clause, said method further including modifying said WHERE clause to 
produce a modified WHERE clause, which includes a filter function, said filter function
producing one of two logical values, said modified WHERE clause effective for deleting a
row from said query result based on a value produced by said filter function.

9. The method of claim 7 wherein said relational database is provided in
a database server; said step of providing includes receiving said at least one query at a client
system; and said step of producing includes transmitting said modified query to said database
server.

10. The method of claim 9 wherein said step of replacing is performed at
said client system.

11. The method of claim 9 wherein said step of replacing is performed at
said database server. 
12. A computer-based information retrieval system comprising:
computer memory having computer readable program code embodied therein
for accessing an information store in accordance with an access policy, said computer
readable program code comprising:

first code configured to receive an access request for a first type of
information, wherein said request for a first type of information has associated therewith first
information;

second code configured to replace said request for a first type of
information with a modified request for a first type of information, said modified request 
being based on said access policy; and 

third code configured to access said information store to produce a 
result in response to said access request, wherein said modified request produces either a 
masked value or said first information, based on said access policy.

13. The system of claim 12 further including fourth code configured to
modify said access request to include a filter function, said filter function effective for
eliminating portions of said result in accordance with said access policy.

14. The system of claim 12 further including a relational database and said
request for a first type of information comprises a SELECT statement, said SELECT 
statement comprising one or more column references, said modified request comprising a 
replacement of at least one of said one or more column references with a mask function. 

15. The system of claim 12 further including a relational database and said 
access request includes a WHERE clause, said result comprising one or more rows of 
information, said second code further configured to incorporate a filter function in said 
WHERE clause to remove certain rows contained in said result, based on said access policy.

16. The system of claim 12 further including a client computer system and 
a server computer system, said client computer system comprising a portion of said computer 
memory embodying said first and second codes, said server computer system comprising 
another portion of said computer memory embodying said third code. 
17. The system of claim 12 wherein said database server is a relational
database server, said request for a first type of information comprises a SELECT statement,
said SELECT statement comprising one or more column references, said modified request
comprising a replacement of at least one of said one or more column references with a mask
function.

18. The system of claim 17 wherein said third code includes a mask
function.

19. The system of claim 16 wherein said database server is a relational
database server, said access request includes a WHERE clause, said result comprising one or
more rows of information, said second code further configured to incorporate a filter function
in said WHERE clause to remove certain rows contained in said result, based on said access
policy.

20. The system of claim 19 wherein said third code includes a mask
function.

3 Detailed Description of Invention 

BACKGROUND OF THE INVENTION 
The present invention relates generally to database access and in particular
to controlled access to fields in a database. 

Today's information technology enables one to experience seamless access 
to various kinds of data sources. Such technology makes accessible to people 
increasingly greater amounts of information. However, data sources often contain critical 
information such as medical records, financial records, and other similar personal
information which should be protected from unauthorized access, requiring access 
privilege of those who desire to access such information. Database systems have evolved 
to provide a set of data access control functions using view definitions and authorization 
models.

A view is an information object that allows you to view data in a normal 
table, but in a different way. It is a logical, dynamically defined table comprised of
portions of the fixed tables which constitute the database. Views provide a method for
looking at data in the underlying tables without having to duplicate the data. 
The traditional view can control access to data in the database on either a
row-level and/or a column-level basis. Fig. 1 shows an example of hospital data
INPT_BASE 100 that contains inpatient information and aggregated inpatient
information grouped by MD_ID. Assume that each physician is permitted only to see
his/her patient visits. Fig. 2 shows the desired views of INPT_BASE 100 for each
physician. The PT_ID, VST, P_NM and MD_ID fields are selectively made invisible to
protect the privacy of each patient so physicians can only see data for their own patients.
Thus, for the doctor whose ID is 2222, the view that should be available to that doctor is
the view 202. For the doctor whose ID is 3333, the view is view 204.

A view for the inpatient table can be defined by a conventional view
definition (or view creation). For example, Fig. 3 shows a view definition that produces
the views 202, 204, 206 shown in Fig. 2. (Note that user-id can be replaced with an
expression that returns the current user-id, e.g., SYS_CONTEXT('userenv',
'session_user'), in the case of an Oracle database system.) However, if we execute the
SQL statement in Fig. 4 to get the aggregated inpatient information grouped by MD_ID,
each physician will get different results such as shown in Fig. 5.

To get the desired aggregation result shown in Fig. 2, we can define a view
as shown in Fig. 6. However, we must define all possible combinations of aggregation
views to allow ad-hoc multi-dimensional analysis. This brute-force approach greatly
increases the view maintenance cost. For example, if a physician wants to
see the statistics of a specific DRG (Diagnostic Related Group), e.g., DRG BETWEEN 120
AND 129, then we must define a view that aggregates the subset of data grouped by
MD_ID separately. Since each physician may want to see a different subset of data, it is
almost impossible to prepare this view beforehand.
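The divergence between Figs. 4 and 5 and the mask-function rewriting of claims 5 to 8 can be reproduced end to end with an embedded SQLite database. The following is an added example, not code from this application: the Oracle PL/SQL MASK and FILTER packages are stood in for by Python functions registered as SQLite user-defined functions, SYS_CONTEXT is stood in for by a Session object, the rewritten statement is written out by hand rather than produced by a rewriter, and the rows (physician IDs 2222 and 3333 as in the description, plus a constructed 4444 with invented patients) are made up.

```python
import sqlite3

# Constructed sample rows for INPT_BASE, modelled on Fig. 1:
# (PT_ID, VST, P_NM, AGE, SEX, MD_ID, DRG, STAY, COST, PYMT)
SAMPLE_ROWS = [
    (1, 1, "Alice", 34, "F", 2222, 121, 5, 5000, 4800),
    (2, 1, "Bob",   58, "M", 2222, 125, 9, 9000, 8500),
    (3, 1, "Carol", 41, "F", 3333, 130, 3, 3000, 3000),
    (4, 2, "Dave",  67, "M", 3333, 121, 7, 7000, 6900),
    (5, 1, "Eve",   29, "F", 4444, 118, 4, 4000, 4000),
]


class Session:
    """Stand-in for SYS_CONTEXT: who is querying and which role they hold (assumption)."""
    user_id = None    # plays the role of SYS_CONTEXT('userenv', 'session_user')
    role_1 = False    # plays the role of SYS_CONTEXT('SECURITY', 'ROLE_1'): may see every row


def filter_md(md_id):
    """FILTER.MD equivalent: 1 if the session may see physician md_id's rows, else 0.
    Anything not explicitly allowed is denied."""
    if Session.role_1:
        return 1
    return 1 if md_id == Session.user_id else 0


def mask_md_id(md_id):
    """MASK.MD_ID equivalent: pass the key through when allowed, otherwise NULL."""
    return md_id if filter_md(md_id) == 1 else None


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE INPT_BASE(PT_ID, VST, P_NM, AGE, SEX, MD_ID, DRG, STAY, COST, PYMT)")
    conn.executemany("INSERT INTO INPT_BASE VALUES (?,?,?,?,?,?,?,?,?,?)", SAMPLE_ROWS)
    conn.create_function("CURRENT_MD", 0, lambda: Session.user_id)
    conn.create_function("FILTER_MD", 1, filter_md)
    conn.create_function("MASK_MD_ID", 1, mask_md_id)
    # Fig. 3 style view: identifying cells are NULLed when the row is not the viewer's patient.
    conn.execute("""
        CREATE VIEW INPT_FACT AS
        SELECT (CASE WHEN MD_ID = CURRENT_MD() THEN PT_ID ELSE NULL END) PT_ID,
               (CASE WHEN MD_ID = CURRENT_MD() THEN VST   ELSE NULL END) VST,
               (CASE WHEN MD_ID = CURRENT_MD() THEN P_NM  ELSE NULL END) P_NM,
               AGE, SEX,
               (CASE WHEN MD_ID = CURRENT_MD() THEN MD_ID ELSE NULL END) MD_ID,
               DRG, STAY, COST, PYMT
        FROM INPT_BASE""")
    return conn


def aggregate_over_view(conn):
    """Fig. 4 query run against the Fig. 3 view. MD_ID is already NULL for other
    physicians' rows, so all of them collapse into one anonymous group (Fig. 5)."""
    return conn.execute(
        "SELECT MD_ID, COUNT(*) VOL, AVG(STAY) AVG_STAY FROM INPT_FACT "
        "GROUP BY MD_ID ORDER BY AVG_STAY DESC, VOL DESC").fetchall()


def aggregate_with_mask(conn, where=""):
    """Same statistic with the MD_ID column reference replaced by a mask function
    (claim 5): grouping happens on the real key in the base table and only the
    displayed key is masked, so an ad-hoc WHERE subset needs no predefined view.
    'where' is the analyst's own predicate; enforcement lives in the UDFs, not here."""
    return conn.execute(
        "SELECT MASK_MD_ID(b.MD_ID) MD_ID, COUNT(*) VOL, AVG(b.STAY) AVG_STAY "
        "FROM INPT_BASE b " + where + " GROUP BY b.MD_ID "
        "ORDER BY AVG_STAY DESC, VOL DESC").fetchall()


def patient_names(conn, md_id):
    """Row-level control via a filter function in the WHERE clause (claims 6 and 8)."""
    return conn.execute(
        "SELECT PT_ID, P_NM FROM INPT_BASE WHERE MD_ID = ? AND FILTER_MD(MD_ID) = 1 "
        "ORDER BY PT_ID", (md_id,)).fetchall()


if __name__ == "__main__":
    db = open_db()
    Session.user_id = 2222
    print("view-based aggregate:", aggregate_over_view(db))
    print("mask-based aggregate:", aggregate_with_mask(db))
    print("DRG 120-129 subset  :", aggregate_with_mask(db, "WHERE b.DRG BETWEEN 120 AND 129"))
    print("own patients        :", patient_names(db, 2222))
    print("someone else's      :", patient_names(db, 3333))
```

Run as physician 2222, the view-based aggregate reports two groups (2222 and one NULL group holding the other three visits), while the mask-based aggregate keeps the three real groups with the foreign keys masked, and the same statement restricted to a DRG range works without any new view being defined.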

Current systems solve this issue by implementing access-control policies
as part of the application logic. However, there are multiple applications in a typical
system. Consequently,, an access policy would have to be implemented in each of the
different applications, a task which significantly increases the maintenance cost of the
access policy. In cases where legacy software is being used, the effort may be completely
frustrated.

Database protection can be obtained through a variety of security measures
including flow, inference, and access control. Access controls in information systems
are responsible for ensuring that all direct access to the system objects occurs exclusively
according to the models and rules fixed by protection policies. Access controls are
enhanced to a content-dependent access control model for database systems. In the
conventional view definition based on the content-dependent access control model, an access
rule can be represented by the tuple (s, o, t, p), which specifies that a subject s has
access t to those occurrences of object o for which predicate p is true. An enhancement of
the model comprises a six-tuple (a, s, o, t, p, f), where a is an authorizer, the subject who
granted s the right (o, t, p), while f is a copy flag describing the possibility for s to
further transfer (o, t, p) to other subjects.

Many security models have been proposed in the prior art literature. The
Access Matrix model, Take-Grant model, Action-Entity model, and Wood et al. model
are discretionary security models. A user query is checked against the authorizations. If
it is allowed, the query accesses the object in a specific access mode. Otherwise the
access is denied.

In a paper by Lunt, T. F., Denning, D., Schell, R. R., Heckman, M., and
Shockley, W. R., entitled "The SeaView Security Model," IEEE Trans. on Software
Engineering, Vol. 16, No. 6 (Jun. 1990), pp. 593-607, a security model known as the
SeaView model was proposed to protect the security of relational database systems by using
two layers: a Mandatory Access Control (MAC) model and a Trusted Computing Base (TCB)
model. SeaView controls multilevel data access by generating virtual multilevel
relation instances from physical single-level relations.

Other models include the Jajodia-Sandhu model and the Smith-Winslett model,
which have been proposed as multilevel security models. Security policies for these
models generate virtual multilevel relation instances. These models use a commutative
filter that is placed between a database system and applications to implement database
security.

Processing a conventional view includes the following typical steps:

1) Authentication.

2) Apply view definitions, i.e., rewrite the query according to the view definitions.

3) Optimize the query.

4) Execute the query.

5) Return results.

In the conventional view, access control rules are applied to a query before
execution. The query cannot access a column that is not a member of the projection
columns. Furthermore, if a user defines a function that blinds the column value as a
projection object, the query cannot access the original value either.

Ferraiolo, David F., Barkley, John F., and Kuhn, D. Richard, in a paper
entitled "A Role-Based Access Control Model and Reference Implementation Within a
Corporate Intranet," ACM Trans. Inf. Syst. Secur. 2, 1 (Feb. 1999), pp. 34-64, describe a
role-based access control that gives access privileges based on the concept of user roles.

The Oracle 8i system has a fine-grain access control using a virtual private
database, which is discussed in a white paper by Davidson, Mary A., entitled "Creating
Virtual Private Databases with Oracle8i," Oracle Magazine, (May 1999). This function
enables a database designer to add a selection condition string automatically whenever a
user accesses the table. The condition string can be generated based on any value, e.g.,
context values and session values. However, the condition eliminates the rows that do not
satisfy it, and so we cannot mask a subset of the columns in a row.

A security model has been proposed for statistical database systems to
prevent statistical inference, in a paper by Chin, F. Y., entitled "Security in Statistical
Databases for Queries with Small Counts," ACM Trans. Database Systems, 3, 1 (Mar.
1978), pp. 92-104. There are three techniques for inference protection, i.e., conceptual,
restriction-based, and perturbation-based techniques; see for example "Database
Security," by Castano, Silvana, Fugini, Mariagrazia G., Martella, Giancarlo, and
Samarati, Pierangela, Addison-Wesley Publishing Company, (1994), and a paper by
Adam, Nabil and Wortmann, John C., entitled "Security-control Methods for
Statistical Databases: A Comparative Study," ACM Comp. Surveys, Vol. 21, No. 4, (Dec.
1989), pp. 515-556. These techniques suppress the statistical values or restrict a
combination of group dimensions. However, the techniques do not provide a function
that suppresses a dimension value itself. Therefore, they cannot define an access policy
for aggregation results such as shown in Fig. 2.

There is a need for a flexible cell-level data access control technique based
on an access policy. An access policy implementation is needed which can reduce system
costs.

SUMMARY OF THE INVENTION 
The present invention provides cell-level access control using mask
functions for each access-controlled column. Each mask function is associated with one
or more key parameters which determine the access permission. The mask function
returns a masked column value or the original column value, depending on the access
policy embodied in the mask function.

Another aspect of the present invention provides cell-level access control
using filter functions for each row elimination policy. Each filter function is associated
with one or more key parameters. The filter function returns a two-category (e.g., binary)
value. A condition for checking the return value of the filter function is added to a condition
clause in a query to eliminate rows in accordance with the row elimination policy.

Still another aspect of the invention is a reporting system which provides
the foregoing cell-level access control mechanisms.

BRIEF DESCRIPTION OF THE DRAWINGS
The teachings of the present invention can be readily understood by
considering the following detailed description in conjunction with the accompanying
drawings:

Fig. 1 illustrates an example of a data organization for hospital-related data;

Fig. 2 illustrates the views of the data shown in Fig. 1, typically required by physicians;

Fig. 3 shows a view definition which produces the views shown in Fig. 2;

Fig. 4 shows a SQL statement with aggregation;

Fig. 5 shows the result of an aggregation inquiry on a view defined by a
conventional view definition;

Fig. 6 shows a prior art view definition with aggregation;

Fig. 7 shows a web-based reporting system architecture which can be
adapted with the present invention;

Fig. 8 illustrates a typical example of a data access policy;

Fig. 9 shows an illustrative example of a table schema in a database system;

Fig. 10 shows an example template of a mask function according to the invention;

Fig. 11 illustrates an SQL query prior to modification;


Fig. 12 shows an overview of the cell-level access control architecture in
an embodiment of the invention; and

Fig. 13 illustrates how changes to the access policy can be readily
accommodated in the present invention.

DESCRIPTION OF THE SPECIFIC EMBODIMENTS 

Referring to Fig. 7, an embodiment of the present invention can be
described in connection with a web-based reporting system architecture 700. The
architecture comprises three server components. A database server 722 includes a
database management system (DBMS) 702. The DBMS can be any conventional
database system; in one particular illustrative embodiment, the DBMS is a relational
database system. A report server 706 is in communication with the database server over
conventional communication facilities, the specifics of which depend on the particular
embodiment of the invention. The report server includes a plurality of report templates
734 to facilitate its function of providing report generating services. A web server 704, in
communication with the report server, provides client-side access to the DBMS. The web
server communicates with the report server over conventional communication facilities,
the specifics of which depend on the particular embodiment of the invention.

Fig. 7 shows a typical software and hardware configuration of the server
components. The database server 722 typically occupies its own computer system,
including a high-capacity storage subsystem. The report server 706 and the web server
704 are shown residing in another computer system 734, separate from the database
server. In practice, the web server and the report server may be comprised of multiple
instantiations of web server processes and report server processes to achieve a desired
throughput. It is noted that many alternative configurations are possible; e.g., a single
computer system can be used to host all three server components in a small-scale
operation. In a large installation, each server may occupy its own computer system. Each
server may in fact comprise multiple server systems in very large systems in order to
provide even greater throughput.

User access to the DBMS 702 is made via a browser client 712, executing
on yet a third computer system 726. The browser communicates with the web server 704
using the hypertext transport protocol (HTTP) or HTTP over SSL (HTTPS).

A user will interact with the web server 704 via the browser 712 to obtain
a report. First, a report template 734 is selected. Next, a set of parameters for the
template is provided. The web server passes a template identifier corresponding to the
user-selected report template, along with the user-provided parameters, to the report server
706. The report server issues one or more queries associated with the selected report
template to the database server 722. After some appropriate interactions between the
report server and the database server, the results of the query (or queries) are returned to
the report server. The report server receives the results and formats them into a presentable
form which is then delivered to the user through the web server.

Fig. 8 is an example of a simple data access policy shown merely for
illustrative purposes. In this example, assume that three access levels are desired:
executive level, medical doctor level, and financial analyst level. An executive level user
is allowed to access all of the data. Typically, this level is for administrative personnel
and database management personnel.

A physician would be accorded the privileges of a medical doctor-level
user. The physician should be able to access patient data relating to treatment of the
patient visit, and data that the physician generates. However, the physician is not allowed
to access certain of the patient's private information, e.g., credit card information.
Furthermore, a physician is not allowed to access the data of another physician.
According to the illustrative access policy described in Fig. 8, a physician cannot see the
patient name for the patient visits that were treated by the other physician, even if the
physician treated the patient's other visit. For example, physician 2222 cannot see the
patient name for the first row in Fig. 2, since the other physician 3333 treated AREN's
first visit. Therefore, according to the illustrative access policy given in Fig. 8, even
though physician 2222 treated AREN's second visit, that physician cannot see the
name for AREN's first visit. It is understood that there are other access policies which
allow access to the data in such a case, and that the present invention can
provide for such access policies.

Finally, access control is provided for financial personnel. This class of
user is given financial analyst level access. The financial analyst can access
financial information such as stay, cost, and payment, including certain of a patient's
financial information. However, a financial analyst should not have access to the kind of
data needed by a physician.
Referring to Fig. 9, an illustrative example of a data schema 900 for the
relational DBMS 702 (Fig. 7) is shown. A user information table 902 (USER_INFO)
contains a user record (e.g., user record 912) for each user. Each record includes a user-id
field 922 and a role field 924, in addition to other user-related information 926. The role
field identifies the access level privileges for each user, per the access policy of Fig. 8.

An inpatient information table 904 (INPT_FACT) maintains an inpatient
record (e.g., inpatient record 914) for each visit made by a patient. Consequently, a
patient is very likely to have multiple entries in this table, one for each visit. A patient-id
field 931 identifies the patient. A patient-visit field 932 (VST) indicates each
visit/admission occurrence of a patient. Another field is the medical doctor ID field 934,
which contains an identifier of the treating physician.

A patient information table 906 (PT_FACT) contains a patient record for
each patient. Each record includes a patient-id field 942 (PT_ID), a patient name field
946 (P_NM), and a patient-sex field 945 (SEX). A similar physician information table
908 (MD_FACT) contains information for each physician. This might include, for
example, a medical doctor ID field 952 (MD_ID), a name field 954 (D_NM), and a
medical doctor department field 955 (DEPT).

Referring now to Figs. 8 and 9, the effect of the access policy as it relates
to the data schema 900 will be described. Consider, for example, role II users. Recall
that a role II user is a physician. A physician should only be able to view certain
information, and only for those patients treated by that physician. Thus, it can be seen that
the patient age field 933, the DRG field 935, the length of stay field 936, the cost field 937,
the payment field 938, the patient-sex field 946, and the medical doctor department field
956 can be viewed by the treating physician. However, the patient-id fields 931 and 942,
the patient-visit field 932, the patient-name field 944, the medical doctor ID fields 934 and
952, and the medical doctor name field 954 should not be available to a physician unless
that patient visit was treated by that physician or that information is the physician's own
data (e.g., a physician can see his own name). Thus, the result of inquiries to the schema 900
should include all data for those patient visits that were treated by the inquiring physician,
and partially masked data for those patient visits that were not treated by the inquiring
physician.

The access policy for a role II user as shown in Fig. 8 restricts the access
to the patient private information, such as PT_ID, VST_NBR, and P_NM, by patient visit
(not by patient). Therefore, the key set to determine whether the patient private
information should be masked or not is the column set {PT_ID, VST_NBR}, since these
columns are the primary key for the patient visit object. (If the access policy restricted the
access by patient, the key set would be {PT_ID}.) As for medical doctor information, a role II
user can only access his/her own private information. Therefore, MD_ID and
D_NM will be blinded if they are not his/hers, and the key set to determine whether
the physician's private information MD_ID and D_NM should be masked or not is the
column set {MD_ID}.

If a role II user issues a query such as SELECT * FROM PT_FACT;
then all PT_ID and P_NM column values should be blinded (masked), because a role II user
should not get the list of all patients in the hospital. A role II user can only make his/her own
patient list. To make his/her own patient list, he should issue the following query:
SELECT DISTINCT a.PT_ID, a.P_NM, a.SEX FROM PT_FACT a, INPT_FACT b
WHERE a.PT_ID = b.PT_ID AND b.MD_ID = physician's-id. In this case, we can
determine whether the columns PT_ID and P_NM should be masked or not by using the
value of {PT_ID, VST_NBR}, since the query joins PT_FACT and INPT_FACT. In
conclusion, we will not allow the private data to be seen if the key columns of the objects
that determine the mask are not covered by the tables in the query.

To implement the above access control policy, the present invention provides
mask functions for each column. Thus, if the access policy denies access to a column
under certain conditions, that column should be masked (blinded). In accordance with the
invention, a mask function is therefore provided for that column. Note that if a column is
not blinded in the current access policy but may be blinded in a future access policy, we
can also provide a mask function for the column.

Fig. 10 shows an illustrative example of a mask function 1000 for the
patient name column, P_NM. In accordance with an embodiment of the invention, mask
functions are defined by conventional SQL-type syntax for user-defined function calls,
sometimes referred to as "stored procedures", "a procedure call", and so on. It is
understood that the idea of a mask function may be implemented in other ways. For
example, the SQL language can be redefined to include mask function capability. The
use of user-definable functions, however, has the advantage of not having to provide for a
custom SQL language.

The mask function 1000 includes an associated set of one or more key
parameters 1002. The mask function also has an associated original value parameter
1004. As will be explained, the one or more key parameters form the basis for deciding
whether a masked column will be displayed or whether it will be masked. In the example
shown in Fig. 10, there are two key parameters, KEY_PT_ID and KEY_VST (1002), in
the mask function for P_NM 1000, since the access policy for a role II user requires
protecting patient private information by patient visit, and PT_ID and VST are the key
columns for the patient visit object.

The mask function includes an IF-THEN-ELSE clause 1006. The IF
condition constitutes access policy condition logic 1008, which is defined in accordance
with the access policy in effect. The access policy condition logic is a function of the key
parameters 1002. If the access policy condition evaluates to TRUE, then the mask
function returns the original value parameter 1004 as the column value. If the access
policy condition evaluates to FALSE, a default value is returned as the column value.

In the embodiment of the invention shown in Fig. 10, the default value is
produced by a function call 1010. In this particular illustrative example, the default value
is some function of the original value parameter 1004. In another embodiment, the
default value may be based on information not limited to the original value parameter. In
yet another embodiment of the invention, the default value can be a fixed output, e.g.,
NULL, or a text string such as "Unauthorized Access", and so on. The operating
conditions, security considerations, and the like will determine how the default value
would be determined.

In a general form, a mask function according to one embodiment of the
invention has the following syntax:

rv <= mask_name(kp1, kp2, ..., kpn, op),

where rv is the return column value of the mask function,

kp1, kp2, ..., kpn are the key parameters used to determine whether masking occurs,

and

op is the original value of the masked column.

The specific syntax of the function call and its definition will vary from
one SQL implementation to another. Such details are known and understood by those of
ordinary skill in the database art.
Table I below is an example of a typical mask function according to the
invention. Also shown is a filter function according to the present invention.

TABLE I

/* PACKAGE MASK */

CREATE OR REPLACE PACKAGE FINVIEW.MASK AS
  FUNCTION P_NM(KEY_PT_ID NUMBER, KEY_VST NUMBER, ORG_P_NM VARCHAR2)
    RETURN VARCHAR2;
  FUNCTION D_NM(KEY_MD_ID NUMBER, ORG_D_NM VARCHAR2)
    RETURN VARCHAR2;
END MASK;

CREATE OR REPLACE PACKAGE BODY MASK IS
  FUNCTION P_NM(KEY_PT_ID NUMBER, KEY_VST NUMBER, ORG_P_NM VARCHAR2)
    RETURN VARCHAR2
  IS
  BEGIN
    /* Return the original patient name only when the policy function allows it. */
    IF FILTER.PT(KEY_PT_ID, KEY_VST) = 1 THEN
      RETURN ORG_P_NM;
    ELSE
      RETURN MASKED.P_NM(ORG_P_NM);
    END IF;
  END P_NM;

  FUNCTION D_NM(KEY_MD_ID NUMBER, ORG_D_NM VARCHAR2)
    RETURN VARCHAR2
  IS
  BEGIN
    IF FILTER.MD(KEY_MD_ID) = 1 THEN
      RETURN ORG_D_NM;
    ELSE
      RETURN MASKED.D_NM(KEY_MD_ID, ORG_D_NM);
    END IF;
  END D_NM;
END MASK;
/

/* PACKAGE FILTER */

CREATE OR REPLACE PACKAGE FILTER AS
  FUNCTION PT(KEY_PT_ID NUMBER, KEY_VST NUMBER)
    RETURN NUMBER;
  FUNCTION MD(KEY_MD_ID NUMBER)
    RETURN NUMBER;
END FILTER;

CREATE OR REPLACE PACKAGE BODY FILTER IS
  FUNCTION PT(KEY_PT_ID NUMBER, KEY_VST NUMBER)
    RETURN NUMBER
  IS
    CNT NUMBER;
  BEGIN
    /* ---------------------- */
    /* FOR USER_ROLE_TYP = 1  */
    /* ---------------------- */
    IF SYS_CONTEXT('SECURITY', 'ROLE_1') = 1 THEN
      RETURN 1;
    END IF;

    /* ---------------------- */
    /* FOR USER_ROLE_TYP = 2  */
    /* ---------------------- */
    IF SYS_CONTEXT('SECURITY', 'ROLE_2') = 1 THEN
      /* Look the visit up in the caller's own ACCS_PTVST table. The schema name
         comes from the DBMS session context; the key values are bound, not
         concatenated. */
      EXECUTE IMMEDIATE
        'SELECT COUNT(*) ' ||
        ' FROM ' || SYS_CONTEXT('userenv', 'session_user') || '.ACCS_PTVST ' ||
        ' WHERE PT_ID = :KEY_PT_ID AND VST = :KEY_VST'
        INTO CNT USING KEY_PT_ID, KEY_VST;
      IF CNT > 0 THEN
        RETURN 1;
      ELSE
        RETURN 0;
      END IF;
    END IF;

    /* ---------------------- */
    /* FOR USER_ROLE_TYP = 3  */
    /* ---------------------- */
    IF SYS_CONTEXT('SECURITY', 'ROLE_3') = 1 THEN
      RETURN 1;
    END IF;

    RETURN 0;   /* no role matched: deny rather than fall off the end */
  END PT;

  FUNCTION MD(KEY_MD_ID NUMBER)
    RETURN NUMBER
  IS
    CNT NUMBER;
  BEGIN
    /* ---------------------- */
    /* FOR USER_ROLE_TYP = 1  */
    /* ---------------------- */
    IF SYS_CONTEXT('SECURITY', 'ROLE_1') = 1 THEN
      RETURN 1;
    END IF;

    /* ---------------------- */
    /* FOR USER_ROLE_TYP = 2  */
    /* ---------------------- */
    IF SYS_CONTEXT('SECURITY', 'ROLE_2') = 1 THEN
      EXECUTE IMMEDIATE
        'SELECT COUNT(*) ' ||
        ' FROM ' || SYS_CONTEXT('userenv', 'session_user') || '.ACCS_MD ' ||
        ' WHERE MD_ID = :KEY_MD_ID'
        INTO CNT USING KEY_MD_ID;
      IF CNT > 0 THEN
        RETURN 1;
      ELSE
        RETURN 0;
      END IF;
    END IF;

    /* ---------------------- */
    /* FOR USER_ROLE_TYP = 3  */
    /* ---------------------- */
    IF SYS_CONTEXT('SECURITY', 'ROLE_3') = 1 THEN
      RETURN 0;   /* role III gets no physician information (Fig. 8) */
    END IF;

    RETURN 0;   /* no role matched: deny rather than fall off the end */
  END MD;
END FILTER;
/

The mask function shown is provided merely to illustrate a typical
example of an embodiment of the invention. Additional mask functions may be needed
depending on the complexity of the database. The specific implementation will depend
on the programming language in use. The specific algorithm will vary depending on the
specific requirements of the access policy in force. Persons of ordinary skill in the
database arts will readily understand how to practice the invention in the context of a
particular database system installation.

Table I also shows a filter function which is defined in the FILTER
package. Two functions are provided, PT() and MD(). The PT() function has the
parameters KEY_PT_ID and KEY_VST. It returns 0 if the data should be masked and
returns 1 if the data can be displayed, based on the key parameters and the user's role. In this
implementation, each role II user has a table PTVST (ACCS_PTVST in Table I) that keeps
the list of {PT_ID, VST} for all patient visits that he/she treated.

The MD() filter function has the parameter KEY_MD_ID. It returns 0 or 1
in the same way as the PT() function. Mask functions are defined in the MASK package.
This example only includes the mask functions for P_NM and D_NM. The P_NM mask
function first calls the policy function FILTER.PT. Then, if the result is 1, it returns the
original value, ORG_P_NM, and if the result is 0, it returns the masked value that is
generated by the MASKED.P_NM function. D_NM works in the same way as P_NM. Note
that we can define any parameters to create masked values. In this example,
MASKED.P_NM uses only ORG_P_NM, while MASKED.D_NM uses both
KEY_MD_ID and ORG_D_NM.

Referring now to Figs. 11 and 12, an illustrative embodiment of a cell-
level access control architecture in accordance with the present invention is shown. Fig.
11 shows a query 1102 that would typically be found in one of the report templates 734
(Fig. 7). The query is written using conventional SQL constructs. A typical SQL query
includes a SELECT statement, specifying one or more column references (sometimes
referred to as attributes, fields, etc.), which constitute the result of the query.

In accordance with the invention, a translation procedure 1210 is applied
to the queries comprising the report templates to produce modified report templates 734'.
The queries 1202 comprising the modified report templates are translations of the original
queries 1102, wherein certain column references are replaced with mask functions.

The translation procedure 1210 is based on the access policies in effect
(e.g., Fig. 8). As can be seen, the original query 1102 is very similar to the translated
query 1202. Where the access policy calls for a column reference to be masked, the
column reference is replaced with an appropriate function call to a mask function.

Consider the original query 1102, for example. Here, the columns which
the access policy requires to be masked are: PT_ID, VST, P_NM, MD_ID, and D_NM (Fig.
9). Table II below shows the replacement scheme:

TABLE II

Column Reference    Mask Function Replacement

PT_ID               MASK.PT_ID(i.PT_ID, i.VST) PT_ID
VST                 MASK.VST(i.PT_ID, i.VST) VST
P_NM                MASK.P_NM(i.PT_ID, i.VST, p.P_NM) P_NM
MD_ID               MASK.MD_ID(i.MD_ID) MD_ID
D_NM                MASK.D_NM(i.MD_ID, m.D_NM) D_NM

Note that the table or view ID should be modified to the appropriate name,
according to the FROM clause of each query. For example, "i.", "p." and "m." should
be modified. As can be seen, the translation process 1210 is simply a textual replacement,
in the original query, of the masked column references by their corresponding function
calls. The information contained in Table II can be used in conjunction with a text editor
to produce the translated query 1202 shown in Fig. 12. The translation process can be a
standard editor; e.g., the Unix stream editor, sed, is especially applicable. The
translation process can be a custom piece of software, or even some combination of
hardware and software. The translation task called for by the present invention can be
provided using any of a number of conventional techniques.
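As an added example of the textual replacement just described (not the patent's own tool), the following Python function applies the Table II scheme to a report query: it reads the alias of INPT_FACT from the FROM clause, substitutes it for the "i." of the key parameters, and replaces every protected column reference in the SELECT list, keeping the original column name as the result alias. When INPT_FACT is not in the query, NULL is passed for the keys so that the filter function masks the value, which is what the PT_FACT discussion above calls for. The regular expressions, the rule table and the NULL convention are assumptions of this example.

```python
import re

# Replacement scheme of Table II. {k_pt}, {k_vst} and {k_md} are the key
# parameters taken from the INPT_FACT alias of the query ("i." in the table);
# {ref} is the column reference being replaced. The trailing alias keeps the
# result column's name, so consumers of the report template are unaffected.
MASK_RULES = {
    "PT_ID": "MASK.PT_ID({k_pt}, {k_vst}) PT_ID",
    "VST":   "MASK.VST({k_pt}, {k_vst}) VST",
    "P_NM":  "MASK.P_NM({k_pt}, {k_vst}, {ref}) P_NM",
    "MD_ID": "MASK.MD_ID({k_md}) MD_ID",
    "D_NM":  "MASK.D_NM({k_md}, {ref}) D_NM",
}

# FROM clause up to the next clause keyword; table items are separated by commas.
FROM_CLAUSE = re.compile(
    r"\bFROM\b(.*?)(?:\bWHERE\b|\bGROUP\b|\bORDER\b|;|$)", re.I | re.S)
# A column reference, optionally qualified with a table alias: "a.PT_ID" or "PT_ID".
COLUMN_REF = re.compile(r"\b(?:([A-Za-z_]\w*)\.)?([A-Za-z_]\w*)\b")


def table_alias(sql, table):
    """Alias under which `table` appears in the FROM clause, or None if absent."""
    m = FROM_CLAUSE.search(sql)
    if m is None:
        return None
    for item in m.group(1).split(","):
        parts = item.split()
        if parts and parts[0].upper() == table.upper():
            return parts[1] if len(parts) > 1 else parts[0]
    return None


def key_expressions(sql):
    """Key parameters for the mask calls. Without INPT_FACT in the query the key
    columns are not covered, so NULL is passed and the filter function denies."""
    i = table_alias(sql, "INPT_FACT")
    if i is None:
        return {"k_pt": "NULL", "k_vst": "NULL", "k_md": "NULL"}
    return {"k_pt": f"{i}.PT_ID", "k_vst": f"{i}.VST", "k_md": f"{i}.MD_ID"}


def translate(sql):
    """Rewrite the SELECT list of a report query per MASK_RULES (Fig. 11 -> Fig. 12)."""
    parts = re.split(r"(\bFROM\b)", sql, maxsplit=1, flags=re.I)
    if len(parts) != 3:
        return sql                      # no FROM clause: nothing to key on
    select_list, from_kw, rest = parts
    keys = key_expressions(sql)

    def replace(m):
        rule = MASK_RULES.get(m.group(2).upper())
        if rule is None:
            return m.group(0)           # not a protected column
        return rule.format(ref=m.group(0), **keys)

    # Only the SELECT list is rewritten; the FROM and WHERE clauses stay as they are.
    return COLUMN_REF.sub(replace, select_list) + from_kw + rest
```

translate("SELECT DISTINCT a.PT_ID, a.P_NM, a.SEX FROM PT_FACT a, INPT_FACT b WHERE ...") yields MASK.PT_ID(b.PT_ID, b.VST) PT_ID and MASK.P_NM(b.PT_ID, b.VST, a.P_NM) P_NM in place of the two protected references. Like any text-level rewrite it does not understand SQL: SELECT * is left untouched (and therefore unmasked), a reference that already carries an alias receives a second one, and subqueries inside the SELECT list are not examined, so a translator used in production should reject a query it cannot fully rewrite rather than pass it through.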
Continuing with Fig. 12, the translation process 1210 converts an original
query 1102 into a translated query 1202. The translated query is then transmitted to the
DBMS 702, where the query is executed. The DBMS includes a set of user-defined
functions 1212. Included in those user-defined functions are the mask function
definitions 1222.

Fig. 12 also shows, in the user-defined functions, a set of filter functions
1224. The filter functions perform in the same manner as the mask functions. Where the
mask functions serve to mask out columns in accordance with the access policy, the filter
functions serve to mask out rows (records) per a row elimination policy. Filter functions
require one or more key parameters that determine whether a row is to be retained or
eliminated. In an embodiment of the invention the filter function returns a binary value
such as TRUE/FALSE. It is used in a WHERE clause of an SQL query to limit the rows
that are returned in accordance with the row elimination policy. An example of a filter
function 1204 is shown in Fig. 12.
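As an added example, not code from the patent, the following Python script reproduces the behaviour of the Table I packages and of the key-set rule discussed earlier for the PT_FACT queries, and also shows the filter function used in a WHERE clause as just described. It builds the Fig. 9 tables in an in-memory SQLite database from constructed rows and registers FILTER_PT, MASK_P_NM and the other functions as user-defined functions (SQLite has no packages, so the dotted names become underscored). Each role II user's ACCS_PTVST and ACCS_MD lists live in Python dictionaries instead of the per-user tables that Table I reads with dynamic SQL. The SESSION dictionary, the sample data, the constant blind value for P_NM, the keyed pseudonym for D_NM, and the deny-by-default result for a role that matches no branch are all assumptions of this example.

```python
import hashlib
import hmac
import sqlite3

# Session context standing in for SYS_CONTEXT('SECURITY', 'ROLE_n') and the
# session user; run_as() fills it in before each query.
SESSION = {"user": None, "role": None}

# Constructed rows for the Fig. 9 schema (AREN's first visit was treated by
# 3333 and the second by 2222, as in the page's example).
PT_FACT = [(1, "AREN", "F"), (2, "BROWN", "M"), (3, "CHEN", "M")]
INPT_FACT = [  # PT_ID, VST, MD_ID, AGE, DRG, STAY, COST, PYMT
    (1, 1, 3333, 45, 125, 5, 5000, 4500),
    (1, 2, 2222, 45, 121, 3, 3000, 2800),
    (2, 1, 2222, 60, 127, 7, 9000, 8500),
    (3, 1, 3333, 33, 129, 2, 2000, 2000),
]
MD_FACT = [(2222, "DR. SMITH", "CARDIO"), (3333, "DR. JONES", "ORTHO")]
# Stand-ins for each role II user's private ACCS_PTVST / ACCS_MD tables (dicts keyed by user).
ACCS_PTVST = {2222: {(1, 2), (2, 1)}, 3333: {(1, 1), (3, 1)}}
ACCS_MD = {2222: {2222}, 3333: {3333}}
PSEUDONYM_KEY = b"constructed-demo-key"  # server-side secret (constructed)


def filter_pt(key_pt_id, key_vst):
    """FILTER.PT of Table I: 1 = may be shown, 0 = must be masked."""
    role = SESSION["role"]
    if role in (1, 3):  # roles I and III return 1 unconditionally
        return 1
    if role == 2 and key_pt_id is not None and key_vst is not None:
        return int((key_pt_id, key_vst) in ACCS_PTVST.get(SESSION["user"], set()))
    return 0  # role II with uncovered keys, or no matching role: deny (assumed)


def filter_md(key_md_id):
    """FILTER.MD: role I sees every physician, role II only itself, role III none."""
    role = SESSION["role"]
    if role == 1:
        return 1
    if role == 2 and key_md_id in ACCS_MD.get(SESSION["user"], set()):
        return 1
    return 0  # role III branch assumed from the Fig. 8 policy


def masked_p_nm(org_p_nm):
    """MASKED.P_NM: a constant blind value that depends only on the original."""
    return "****"


def masked_d_nm(key_md_id, org_d_nm):
    # MASKED.D_NM: keyed pseudonym derived from MD_ID, stable across rows.
    tag = hmac.new(PSEUDONYM_KEY, str(key_md_id).encode(), hashlib.sha256)
    return "MD-" + tag.hexdigest()[:6]


def mask_p_nm(key_pt_id, key_vst, org_p_nm):
    """MASK.P_NM: original value if the policy allows, else the blind value."""
    return org_p_nm if filter_pt(key_pt_id, key_vst) == 1 else masked_p_nm(org_p_nm)


def mask_d_nm(key_md_id, org_d_nm):
    """MASK.D_NM: same shape, keyed on the physician id."""
    return org_d_nm if filter_md(key_md_id) == 1 else masked_d_nm(key_md_id, org_d_nm)


def make_db():
    """In-memory database with the mask and filter functions registered as UDFs."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE PT_FACT (PT_ID, P_NM, SEX)")
    conn.execute("CREATE TABLE INPT_FACT (PT_ID, VST, MD_ID, AGE, DRG, STAY, COST, PYMT)")
    conn.execute("CREATE TABLE MD_FACT (MD_ID, D_NM, DEPT)")
    conn.executemany("INSERT INTO PT_FACT VALUES (?,?,?)", PT_FACT)
    conn.executemany("INSERT INTO INPT_FACT VALUES (?,?,?,?,?,?,?,?)", INPT_FACT)
    conn.executemany("INSERT INTO MD_FACT VALUES (?,?,?)", MD_FACT)
    # SQLite has no packages: MASK.P_NM becomes MASK_P_NM, FILTER.PT becomes FILTER_PT.
    conn.create_function("FILTER_PT", 2, filter_pt)
    conn.create_function("MASK_PT_ID", 2, lambda pt, vst: pt if filter_pt(pt, vst) else None)
    conn.create_function("MASK_VST", 2, lambda pt, vst: vst if filter_pt(pt, vst) else None)
    conn.create_function("MASK_P_NM", 3, mask_p_nm)
    conn.create_function("MASK_MD_ID", 1, lambda md: md if filter_md(md) else None)
    conn.create_function("MASK_D_NM", 2, mask_d_nm)
    return conn


# A report query after translation: each protected column reference has become
# a mask call whose key parameters come from the joined INPT_FACT row.
VISIT_REPORT = """
SELECT MASK_PT_ID(i.PT_ID, i.VST) PT_ID, MASK_VST(i.PT_ID, i.VST) VST,
       MASK_P_NM(i.PT_ID, i.VST, p.P_NM) P_NM, MASK_MD_ID(i.MD_ID) MD_ID,
       MASK_D_NM(i.MD_ID, m.D_NM) D_NM, i.STAY
FROM INPT_FACT i, PT_FACT p, MD_FACT m
WHERE i.PT_ID = p.PT_ID AND i.MD_ID = m.MD_ID ORDER BY i.PT_ID, i.VST"""

# SELECT * FROM PT_FACT after translation: VST is absent, so the key set is not covered.
PATIENT_LIST = """
SELECT MASK_PT_ID(PT_ID, NULL) PT_ID, MASK_P_NM(PT_ID, NULL, P_NM) P_NM, SEX
FROM PT_FACT ORDER BY PT_ID"""

# The filter function in a WHERE clause: denied rows are eliminated, not masked.
OWN_VISITS = """
SELECT i.PT_ID, i.VST, i.STAY FROM INPT_FACT i
WHERE FILTER_PT(i.PT_ID, i.VST) = 1 ORDER BY i.PT_ID, i.VST"""


def run_as(conn, user, role, sql):
    """Run a translated query as the given session user with role 1, 2 or 3."""
    SESSION.update(user=user, role=role)
    return list(conn.execute(sql))
```

run_as(conn, 2222, 2, VISIT_REPORT) returns AREN's first visit with PT_ID, VST and MD_ID as NULL, the name as **** and the other physician as a pseudonym, while the second visit comes back intact; the same query as role I returns every value. PATIENT_LIST shows the key-coverage rule: with VST absent from the query, a role II user gets every name blinded, as the text requires for SELECT * FROM PT_FACT. OWN_VISITS shows the same policy function eliminating rows instead of blinding cells. The pseudonym for D_NM is keyed because the MD_ID space is small: an unkeyed hash could be reversed by enumerating it.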

The disclosed embodiments are based on relational databases and SQL-
type query languages. However, it can be appreciated by a person of ordinary skill in the
database art that the mask and filter function approach can be provided in other database
systems. In a relational database system, the present invention can provide cell-level data
access control with no impact to the underlying database engine.

The translation process 1210 obviates the tedious and error-prone task of
modifying existing report templates. The translation process can occur on-the-fly as each
query is sent to the database. In another embodiment of the invention, the translation
process can be run once (e.g., manually performed by the database administrator) on all
of the templates to produce a new set of templates that use the mask and filter functions.
This embodiment is attractive from a throughput point of view, since the translation needs
to be performed only when a report template is changed. In yet another embodiment of
the invention, the translation process can be located at the DBMS 702, intercepting all
incoming queries and making the translations on-the-fly. The translation process could
be a manually performed task. The specific approach will be determined based on
performance criteria, resources, the nature of the use of the database, the number of
reports, and so on.

Since the mask functions are stored in the DBMS, a change in the access
policy amounts to simple re-writing of the mask and filter functions. There is no need to
affect the existing application logic. If the access policy changes which columns are to be
masked, then the translation process 1210 would be updated accordingly. For example, if
we want to add the AGE column as a masked column, the original SQL in Fig. 2 might be
changed as shown in Fig. 13 by the replacement of the AGE column with a mask function
1302.

Although specific embodiments of the invention have been described,
various modifications, alterations, alternative constructions, and equivalents are also
encompassed within the scope of the invention. The described invention is not restricted
to operation within certain specific data processing environments, but is free to operate
within a plurality of data processing environments. Although the present invention has
been described in terms of specific embodiments, it should be apparent to those skilled in
the art that the scope of the present invention is not limited to the described specific
embodiments.

The specification and drawings are, accordingly, to be regarded in an
illustrative rather than a restrictive sense. It will, however, be evident that additions,
subtractions, substitutions, and other modifications may be made without departing from
the broader spirit and scope of the invention as set forth in the claims.

CREATE VIEW INPT_FACT AS 
SELECT (CASE WHEN MD_ID = user-id THEN PT_ID ELSE NULL END) PT_ID, 
       (CASE WHEN MD_ID = user-id THEN VST ELSE NULL END) VST, 
       (CASE WHEN MD_ID = user-id THEN P_NM ELSE NULL END) P_NM, 
       AGE, SEX, 
       (CASE WHEN MD_ID = user-id THEN MD_ID ELSE NULL END) MD_ID, 
       DRG, STAY, COST, PYMT 
FROM INPT_BASE; 



FIG. 3 



SELECT MD_ID, COUNT(*) VOL, 
       AVG(STAY) AVG_STAY, AVG(COST) AVG_COST, AVG(PYMT) AVG_PYMT 
FROM INPT_FACT 
GROUP BY MD_ID ORDER BY AVG_STAY DESC; 



FIG. 4 
CREATE VIEW INPT_GRP_BY_MD AS 
SELECT (CASE WHEN MD_ID = user-id THEN MD_ID ELSE NULL END) MD_ID, 
       COUNT(*) VOL, 
       AVG(STAY) AVG_STAY, AVG(COST) AVG_COST, AVG(PYMT) AVG_PYMT 
FROM INPT_BASE GROUP BY MD_ID ORDER BY AVG_STAY DESC; 
Access Level | Role              | Access Policy 
I            | Executive         | Access to all data. 
II           | Medical Doctor    | Access to doctor's own patient visit data only. The patient privacy information of the other patient visit data should be blinded. The other medical doctor's privacy information should also be blinded. 
III          | Financial Analyst | Access to financial information without any medical doctor's information. 
CREATE OR REPLACE PACKAGE BODY <schema_name>.MASK AS 
FUNCTION P_NM(KEY_PT_ID NUMBER, KEY_VST NUMBER, ORG_P_NM VARCHAR2) 
RETURN VARCHAR2 
IS 
BEGIN 
  /* Policy logic to decide whether or not we should mask the P_NM */ 
  /* If we should mask the value, then return masked value. Otherwise, */ 
  /* return the original value. */ 
  IF <policy condition> THEN 
    RETURN ORG_P_NM;                /* Original value */ 
  ELSE 
    RETURN MASKED_P_NM(ORG_P_NM);   /* Masked value defined by default mask value function */ 
  END IF; 
END P_NM; 
END MASK; 
SELECT i.PT_ID, 
       i.VST, 
       p.AGE, p.SEX, 
       i.MD_ID, 
       m.D_NM, 
       i.DRG, i.STAY, ... 
FROM INPT_FACT i, MD_FACT m, PT_FACT p 
WHERE i.PT_ID = p.PT_ID AND i.MD_ID = m.MD_ID AND ... ; 






FIG. 11 



SELECT MASK.PT_ID(i.PT_ID, i.VST) PT_ID, 
       MASK.VST(i.PT_ID, i.VST) VST, 
       MASK.P_NM(i.PT_ID, i.VST, p.P_NM) P_NM, 
       { MASK.AGE(i.PT_ID, i.VST, p.AGE) AGE, } 
       MASK.MD_ID(i.MD_ID) MD_ID, 
       MASK.D_NM(i.MD_ID, m.D_NM) D_NM, 
       i.DRG, i.STAY, ... 
FROM INPT_FACT i, MD_FACT m, PT_FACT p 
WHERE i.PT_ID = p.PT_ID AND i.MD_ID = m.MD_ID AND ... ; 
1 Abstract 

Access control at the cell level is provided by the use of mask functions. 
Original queries are modified to contain mask functions for those cells for which controlled 
access in accordance with an access policy is desired. In addition, filter functions are 
included to eliminate rows according to the access policy. 
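As an added example (not the patent's own code), the following Python script uses sqlite3 to contrast the conventional CASE-based view of Fig. 3 with the cell-level rewrite of Figs. 10 and 12 on the aggregation query of Fig. 4: the view blanks MD_ID before grouping, so other doctors collapse into one NULL group and the per-doctor figures are lost, whereas the rewritten query aggregates the base table and masks only the output cell. The sample rows, the user_id() session function and the mask_md_id policy are constructed assumptions standing in for the patent's session context and MASK package.

```python
import sqlite3

# Constructed sample rows for INPT_BASE (not the patent's data):
# (PT_ID, VST, P_NM, AGE, SEX, MD_ID, DRG, STAY, COST, PYMT)
INPT_BASE = [
    (1, 1, "Ann Lee", 34, "F", 100, "A1", 3, 900.0, 800.0),
    (2, 1, "Bob Ray", 51, "M", 100, "B2", 5, 1500.0, 1200.0),
    (3, 1, "Cy Dole", 62, "M", 200, "A1", 7, 2100.0, 1900.0),
    (4, 2, "Di Moss", 45, "F", 300, "C3", 2, 300.0, 300.0),
]

SESSION = {"user_id": None}  # stands in for the database session's user-id

def mask_md_id(md_id):
    """Fig. 10 style mask function for the MD_ID cell (hypothetical policy):
    a doctor sees their own MD_ID; every other doctor's ID is masked to NULL."""
    return md_id if md_id == SESSION["user_id"] else None

def open_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE INPT_BASE (PT_ID, VST, P_NM, AGE, SEX, MD_ID, DRG, STAY, COST, PYMT)")
    con.executemany("INSERT INTO INPT_BASE VALUES (?,?,?,?,?,?,?,?,?,?)", INPT_BASE)
    con.create_function("user_id", 0, lambda: SESSION["user_id"])
    con.create_function("mask_md_id", 1, mask_md_id)  # plays the role of MASK.MD_ID
    # Conventional view (Fig. 3 pattern): the cell is blanked inside the view itself.
    con.execute("""CREATE VIEW INPT_FACT AS
        SELECT (CASE WHEN MD_ID = user_id() THEN MD_ID ELSE NULL END) MD_ID,
               STAY, COST, PYMT FROM INPT_BASE""")
    return con

def aggregate_on_view(con, user_id):
    """Fig. 4 query run on the conventional view: rows of every other doctor
    share MD_ID = NULL, so GROUP BY merges them into a single distorted group."""
    SESSION["user_id"] = user_id
    return con.execute("""SELECT MD_ID, COUNT(*) VOL, AVG(STAY) AVG_STAY
                          FROM INPT_FACT GROUP BY MD_ID ORDER BY AVG_STAY DESC""").fetchall()

def aggregate_with_mask(con, user_id):
    """Same query after cell-level rewriting (Fig. 12 pattern): the aggregate runs
    on the base table and only the MD_ID output cell passes through the mask."""
    SESSION["user_id"] = user_id
    return con.execute("""SELECT mask_md_id(MD_ID) MD_ID, COUNT(*) VOL, AVG(STAY) AVG_STAY
                          FROM INPT_BASE GROUP BY MD_ID ORDER BY AVG_STAY DESC""").fetchall()

if __name__ == "__main__":
    con = open_db()
    print(aggregate_on_view(con, 100))    # other doctors collapse into one NULL group
    print(aggregate_with_mask(con, 100))  # per-doctor figures kept, identities masked
```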

2 Representative Drawing 